IT staff at the world's largest securities transaction clearing house are facing a rough few days after a Reg reader was inadvertently deluged with emails leaking session IDs, transfers, and account details for executives at big-name customers.
The Depository Trust & Clearing Corporation (DTCC) handles the vast bulk of stock …

Later that day they contacted me and told me that someone had entered a made up email address to perform some tests on the system, had forgotten to remove it, and hadn't realised the email address might actually belong to someone. Oh dear.

Re: RE: made up email address

I have a domain which I mainly use for online stuff, like shopping. I got fed up with spam so I wanted to be able to find out who 'leaked' my address (e.g. shop in John Lewis, give them email [email protected]). All emails get through to my administration address. I figured I'd chosen a sufficiently random, but still memorable, domain name, but it turns out someone might have had the same idea for testing.

Yup. Saw that done in a hardware validation lab. Configured & tested a template system, and then made about 100 copies. Didn't discover the random "send alert here" email address was live for nearly a week. Had to go around and hand-edit all of the cloned systems individually.

Re: He had to loop LotR to fall asleep??

Sounds like he is like me. I have nights where Ben Stein could narrate the tax code and I'd still be up. Hell, I could watch Ben Stein play in EastEnders and I'd still be up. Wait, would that just drive me insane?

Re: Typo

Surely it needn't eat his data plan

Just stick a filter on the sender email address (I'm guessing that at the very least it was all from the same domain, if not the same email address) and stuff them all into a separate folder that is not set to sync with the phone.

Re: I'm getting pretty sick of this "human error" crap

"indicates just how poorly designed and implemented these systems are"

I love this type of comment.... It's the IT equivalent of watching a professional footballer cock up a penalty and then screaming about what they've done wrong, how you would have done it better and how much less you would ask for in wages to do it....

Yes, yes...I am sure that one of the largest financial institutions in the world has poorly written and implemented systems and you and your "degree" from some old poly can do a much better job single handed whilst moonwalking and gargling the alphabet backwards.

Re: I'm getting pretty sick of this "human error" crap

1. I don't have a '"degree" from some old poly' -- I have 32 years' experience in IT.

2. One of the projects I worked on at the financial institution I work for was setting up and testing an e-mail filter to prevent "human error" from sending out e-mails containing sensitive customer information.

3. I don't believe that system will catch everything (though it would most likely have caught this crap), and I continue to work to improve security and security awareness at my institution, because

4. I don't believe that the false illusion of security benefits anyone. That was my point, not some misguided armchair quarterbacking. Pretty much all IT systems in use today have security flaws, and we don't make progress by dismissing evidence of those flaws as "human error".

I will bet ...

the whole problem was when a sysadmin decided he wanted to receive alerts at his personal email (gmail) account, and had a finger-fumble moment.

The real question is why on earth such a mission critical system was happy to accept an UNVERIFIED email address as the endpoint for diagnostic emails. Almost every system + dog nowadays insists on clicking on an emailed link to verify the address before using it.

Re: a quadrillion

Re: a 10^15 dollar

At what point does 1.7 quadrillion (about $243,000), per year, have any relationship to the real world?

NOW!!

I guess these are not always different quadrillions sloshing around in there, indeed they are quite like the same going around like fat cows in circles, though I would wager that Bernanke's 65 billion dollar per month of QEn are in there SOMEWHERE.

example.org

Although this was a mere mistake on a live system, this sort of thing would be inexcusable if done deliberately for testing purposes or otherwise. This is one of the reasons why "example.org" exists. It was created for purposes very much akin to this.

Re: example.org

example.org is not the only one available, either... [email protected] is also available and has been for several decades... if [email protected] doesn't work, simply add a number to it... they're all flushed into the bitbucket...

No one's paying attention

This is just another example of what happens when no one pays attention.

Some other examples from personal experience, not entirely IT related, of the results of no one paying attention:

1. A weekly e-flyer for a pharmacy chain, in PDF format, but really just a string of jpegs with such low resolution you couldn't read the text. No way to tell just what this week's specials were! No one bothered to actually look at the end result to be sure it was legible. Strangely enough, an email to the president's email address actually got to him, and they cleaned up their act promptly. I imagine somebody got their fingers slapped over such stupidity.

2. A big illuminated sign by the highway saying "For latest road condition information, check http://....." With all the hoopla about the adverse effects on driving of using cell phones, you'd think that a sign that was an open invitation to fire up your browser would be dismissed offhand as counterproductive.

3. An emergency response program that has designated routes for emergency vehicle use only. Problem: all the routes between different parts of the metroplex are so designated: you simply cannot get from part A where people work to part B where they live without using one of these highways. If we have a big earthquake (certain to happen sooner or later), everybody's going to want to rush home to make sure things are okay, that their kids in school are okay, etc. There aren't enough cops to block the resultant flood of traffic; and besides, the cops will have other things to do after a big shake. [The city I live in has very few road links between some sections.] This particular stupidity also involves failure to take into account human nature which, as the old adage teaches us, never changes. Plus the common bureaucratic position that making a rule against something actually stops people from doing it.

In the present case, somebody didn't bother to look at the email address they'd keyed to be sure it was correct, to say nothing of the other criticisms of this fiasco.

Tradition requires

Bah!

"Misdirected"? Not so. Some inattentive berk typed in a valid email address in whatever box asked for it. The fact that it was not the address he/she intended is not important. Let's assign blame where it belongs: some techno-tw*t who probably broke umpteen company regulations (not to mention conditions of employment) to steer information to his or her private email account instead of a safe (and probably audited) company one. That this person then didn't double-check the address is just par for the course.

If company rules-of-conduct don't make that a finger-breaking offense, they should.

And where was the firewall nannyware when it was needed? Why aren't all outbound e-mail addresses whitelisted?

The more I think on it the more there seems to be a cultural/systemic problem at the root of this.
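The outbound allowlist this commenter asks for, combined with the reserved test domains the "example.org" comments recommend, as an added example that is not from the article, DTCC or any commenter: it classifies every alert recipient in a config file and flags anything off the corporate allowlist, separating harmless reserved placeholders from a guessed domain or a private webmail account. The corporate domain, the address regex and the sample config are assumptions constructed for this illustration.

```python
"""Audit the recipient addresses a monitoring system is allowed to mail.

Added example, not code from the article, DTCC or any commenter; the corporate
allowlist and the sample config below are constructed for illustration.
"""
import re

# RFC 2606 reserved names: mail to these never lands in a stranger's mailbox,
# which is why they, not a guessed domain, belong in test fixtures.
RESERVED_TLDS = {"test", "example", "invalid"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
# Constructed corporate allowlist; subdomains of an entry are accepted too.
ALLOWED_DOMAINS = {"clearinghouse.example"}
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def classify(address, allowed_domains=ALLOWED_DOMAINS):
    """Return 'allowed', 'placeholder' (reserved test domain: harmless, but must
    not ship in production) or 'blocked' (webmail, a guessed or mistyped domain)."""
    match = ADDRESS_RE.match(address.strip())
    if not match:
        return "blocked"                     # malformed: fail closed
    domain = match.group(1).lower()
    if any(domain == ok or domain.endswith("." + ok) for ok in allowed_domains):
        return "allowed"
    if domain in RESERVED_DOMAINS or domain.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return "placeholder"
    return "blocked"

def audit(config_text, allowed_domains=ALLOWED_DOMAINS):
    """Scan 'key = address' lines; return (line_no, address, verdict) for every
    recipient that is not on the allowlist, so it is caught before go-live."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]         # ignore trailing comments
        for addr in re.findall(r"[^\s=,;]+@[^\s,;]+", code):
            verdict = classify(addr, allowed_domains)
            if verdict != "allowed":
                findings.append((line_no, addr, verdict))
    return findings

# Constructed sample config with the kinds of leftover the thread describes.
SAMPLE_CONFIG = """\
[alerts]
ops_team = ops-alerts@clearinghouse.example
oncall   = pager@noc.clearinghouse.example
fallback = jsmith@madeup-testdomain.net   # "made up" address left over from a test
personal = sysadmin.home@gmail.com        # alerts steered to a private account
smoke    = qa-bot@example.org             # reserved and harmless, still not allowed
"""
```

Running `audit(SAMPLE_CONFIG)` reports the last three recipients; wiring the same check into the config loader means a test address that was "forgotten" never gets mailed at all.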